From c8eb38ad461cde10e8b7ea7cfe5f75c9d28b6b08 Mon Sep 17 00:00:00 2001
From: Julian Ladisch
Date: Tue, 3 Feb 2026 15:40:40 +0100
Subject: [PATCH] EUREKA-860: brace-expansion to 1.1.12 fixing ReDoS CVE-2025-5889
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://folio-org.atlassian.net/browse/EUREKA-860

Eureka Sunflower uses a vulnerable brace-expansion version (1.1.11):
https://github.com/folio-org/platform-lsp/blob/R1-2025-csp-4/yarn.lock#L3866

Details:
* https://github.com/advisories/GHSA-v6h2-p8h4-qcjw – CVE-2025-5889
* https://github.com/juliangruber/brace-expansion/pull/65/files

Task:
Bump brace-expansion from 1.1.11 to 1.1.12 in the Sunflower branch of platform-lsp.
---
 package.json | 1 +
 yarn.lock    | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 6f70bf6..a836dfd 100644
--- a/package.json
+++ b/package.json
@@ -108,6 +108,7 @@
     "@rehooks/local-storage": "2.4.5",
     "@folio/stripes-acq-components": "7.0.5",
     "@folio/stripes-authorization-components": "2.0.8",
+    "brace-expansion": "^1.1.12",
     "colors": "1.4.0",
     "final-form": "^4.20.4",
     "minimist": "^1.2.3",
diff --git a/yarn.lock b/yarn.lock
index e6f992d..0359e00 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3862,10 +3862,10 @@ boxen@^7.0.0:
     widest-line "^4.0.1"
     wrap-ansi "^8.1.0"
 
-brace-expansion@^1.1.7:
-  version "1.1.11"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
-  integrity sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==
+brace-expansion@^1.1.12, brace-expansion@^1.1.7:
+  version "1.1.12"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.12.tgz#ab9b454466e5a8cc3a187beaad580412a9c5b843"
+  integrity sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==
   dependencies:
     balanced-match "^1.0.0"
     concat-map "0.0.1"
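Review bot: The added `"brace-expansion": "^1.1.12"` line declares a transitive package as a direct dependency of the platform, which only pins it as a side effect of lockfile deduplication; the intent is better expressed with yarn's `resolutions` field, e.g. `"resolutions": { "brace-expansion": "^1.1.12" }`, which forces every requester of the package onto the patched version without listing a module the project does not itself import. As committed, the yarn.lock hunk does merge `brace-expansion@^1.1.12` and `brace-expansion@^1.1.7` onto 1.1.12, so the fix is effective today, but a later lockfile regeneration could split the `^1.1.7` requester back onto a separate 1.1.11 entry, whereas a resolution cannot drift that way. The advisory referenced in the description also covers the 2.x, 3.x and 4.x release lines of brace-expansion (patched in 2.0.2, 3.0.1 and 4.0.1 as I recall); if the lockfile holds any entry from those lines they are outside this patch and should be checked separately.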